Hackers spear-phish, infiltrate French Ministry of Finances

Deliberate, targeted, spear-phishing attacks against the French Ministry of …

Hackers using spear-phishing techniques broke into the French Ministry of Economics, Finances, and Industry last year, compromising at least 150 machines and exfiltrating documents related to the G-20 organization, in an attack described as "determined and organized." The perpetrators of the attack are unknown, but investigators have discovered that information was sent to servers located in China.

The break-in was reported in Paris Match, and has since been confirmed by Minister of Budget François Baroin. He also clarified that personal tax records were not accessed by the hack.

In November last year, workers at the ministry were sent e-mails with attachments containing trojans. Running these trojans infected their machines, and the infection then spread throughout the ministry's network. The attack and the e-mails are described as deliberately targeted—not generic phishing attacks intended to compromise bank details or credit card numbers, but spear-phishing attacks, created to specifically compromise particular individuals within the French ministry. The French authorities insist that no classified material was released—such material is restricted to a separate intranet. The information taken concerned the G-20 economic group. The G-20 organization is this year chaired and hosted by France, explaining why Paris should be the target. China is also a member of the group.

The hack was discovered two months ago, and has been under investigation by ANSSI, the French Network and Information Security Agency, ever since. According to Patrick Pailloux, director general of ANSSI, some 20-30 investigators have been working "day and night" on the case ever since the hack's discovery. Though the investigators are unsure who performed the attack, there are hints at a possible Chinese involvement: information from the ministry was sent to a Chinese server. However, that could equally be a result of the real attackers attempting to cover their tracks.

Pailloux described the attack as "professional, determined and organized," not "three PCs in a garage." However, he said that this did little to aid the hunt for the perpetrators: hackers for hire can be found readily.

Similar attacks were made against the Canadian Finance Department and Treasury Board in January. As in the French case, spear-phishing was used to compromise machines in the first place, and similarly, data was offloaded to Chinese servers. It may be coincidence, but Canada was the nation hosting and chairing the G-20 group last year.

Spear-phishing techniques and targeted attacks pose a unique security problem. Though they constitute a minority of all attacks—indiscriminate mass phishing attacks are far more common—they're much harder to guard against. Typical anti-virus software is ineffective against such malware, because anti-virus vendors can only provide detection signatures for those pieces of malware that they have been able to obtain and analyze themselves. That works for mass attacks, whose samples quickly reach the vendors, but it's much harder to do if a trojan is sent to just a few people working at a particular company or organization. When combined with exploitation of unreported security flaws—such as were used in Stuxnet and the Aurora attacks against Google in 2009—they can be extremely effective and hard to prevent.

So it looks like HBGary Federal did manage to find some work, after all.

Heh. HBGary and HBGary Federal were actually playing this one from both ends.

They have a kind of heuristic malware detection engine which attempts to categorize malware not based on signature, but on generic traits (for example, using an executable packer, installing keyboard hooks, injecting code into other processes, etc.). This software aims to detect and trap even unknown malware, which makes it of particular relevance to organizations trying to guard against targeted attacks (against which signature-based tools are essentially useless).

Secondly, they were involved in writing software to do exactly what was done to France and Canada. Moreover, Aaron Barr was investigating ways in which spear-phishing could be performed more effectively, including the use of social networks to both learn more about the target, and possibly even gain the target's trust. Honestly, I think the justification for his research was pretty legitimate--it's really too bad he stirred up the Anonymous hornets' nest.

As any fule kno, the best way to monetize a war is to sell weapons to both sides. So it is with cyberwar.

Ummm, no it isn't!
1. The resulting thrashing he received was exactly what was needed to take his arrogant ass down.
1.1. Showed the world what companies like HBGary do (can expand this further)
2. It resulted in some of the best articles I have ever read on Ars along with some of the funniest graphics!
3. I was running out of popcorn reading said articles!!!


Yes, but, I think there's a legitimate avenue of research here, and I would like to know what he found about the nuclear installation.

So it looks like HBGary Federal did manage to find some work, after all.

Heh. HBGary and HBGary Federal were actually playing this one from both ends.

Ah, don't they all? "Pay me to protect you or some bad things are going to happen..."

DrPizza wrote:

They have a kind of heuristic malware detection engine which attempts to categorize malware not based on signature, but on generic traits (for example, using an executable packer, installing keyboard hooks, injecting code into other processes, etc.).

Hum... that sounds a lot like tripwire techniques, or/and SElinux... but instead of detecting it prevents such unauthorised patterns from being usable.

DrPizza wrote:

This software aims to detect and trap even unknown malware, which makes it of particular relevance to organizations trying to guard against targeted attacks (against which signature-based tools are essentially useless).

Wait... since when (post-win3.1) were signature based patterns useful against anything? Criminal organizations have been using self-rewriting (or "chameleon") payloads in mass attacks for more than 5 years now...

DrPizza wrote:

I think the justification for his research was pretty legitimate--it's really too bad he stirred up the Anonymous hornets' nest.

Erhhgg... in security circles, that kind of "research" would be seen as recycling old, used tricks. Nothing really new, and nothing any security-conscious organization should be worried about anymore...

DrPizza wrote:

As any fule kno, the best way to monetize a war is to sell weapons to both sides. So it is with cyberwar.

Actually, the best money-making part of the business is second-hand weapons. Seems like that is something HBGary got right...

Hum... that sounds a lot like tripwire techniques, or/and SElinux... but instead of detecting it prevents such unauthorised patterns from being usable.

Perhaps a little, but it detects things that are typically themselves legitimate. For example, packed binaries are not themselves an indication of malicious intent--programs like uTorrent use packed binaries to make them smaller to download. Installing keyboard hooks similarly; there are legitimate reasons to do this (for macro recorders, for example). It's the combination of features, any one of which on its own might be considered harmless, that together give a program the appearance of malware.

Quote:

Wait... since when (post-win3.1) were signature based patterns useful against anything? Criminal organizations have been using self-rewriting (or "chameleon") payloads in mass attacks for more than 5 years now...

Polymorphic viruses date back to 1990 (at least, that's the earliest documented example). Nonetheless polymorphic programs are still susceptible to signature-based detection. What changed is the nature of the signatures; they're no longer straight-forward pattern matches.

Quote:

Erhhgg... in security circles, that kind of "research" would be seen as recycling old, used tricks. Nothing really new, and nothing any security-conscious organization should be worried about anymore...

And yet security-conscious organizations get pwned, something I suspect is only going to become more common. I think they should indeed be worried about it.
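As an added illustration of the trait-combination idea DrPizza describes above (this is not HBGary's engine or any real product; the trait names, weights, combination rules and sample observations are all constructed for the example), the following scores a program by which generic traits it exhibits together, so that a packed binary or a keyboard hook alone stays below the threshold while their combination does not:

```python
"""Combination-of-traits scoring: each trait alone is common in legitimate
software; only certain combinations push a sample over the threshold."""
from dataclasses import dataclass

# Constructed per-trait weights (hypothetical, not from any real engine).
TRAIT_WEIGHTS = {
    "packed_executable": 1,     # download-size reduction, as with uTorrent
    "keyboard_hook": 2,         # macro recorders do this legitimately
    "process_injection": 3,     # rarer in benign code, but still seen
    "autorun_persistence": 2,
    "outbound_connection": 1,
}
# Constructed bonuses for pairs that together look like malware behaviour.
COMBINATION_RULES = {
    frozenset({"keyboard_hook", "outbound_connection"}): 2,  # capture + send
    frozenset({"process_injection", "packed_executable"}): 1,
}
# Chosen so that no single trait can cross it on its own.
THRESHOLD = 5


@dataclass(frozen=True)
class Verdict:
    score: int
    suspicious: bool
    matched: tuple  # traits that contributed, kept for analyst triage


def assess(observed_traits):
    """Score one sample from the set of generic traits observed for it."""
    matched = tuple(sorted(t for t in observed_traits if t in TRAIT_WEIGHTS))
    score = sum(TRAIT_WEIGHTS[t] for t in matched)
    present = set(matched)
    # A rule fires only when every trait in the pair is present.
    score += sum(bonus for pair, bonus in COMBINATION_RULES.items()
                 if pair <= present)
    return Verdict(score=score, suspicious=score >= THRESHOLD, matched=matched)


# Constructed observations; none corresponds to a real sample.
SAMPLES = {
    "download_client": {"packed_executable", "outbound_connection"},
    "macro_recorder": {"keyboard_hook"},
    "keylogger_like": {"keyboard_hook", "outbound_connection"},
    "unknown_attachment": {"packed_executable", "keyboard_hook",
                           "process_injection", "outbound_connection"},
}

if __name__ == "__main__":
    for name, traits in SAMPLES.items():
        v = assess(traits)
        print(f"{name}: score={v.score} suspicious={v.suspicious} {v.matched}")
```

The keylogger-like case is the point of the thread: two traits that are each harmless on their own are flagged only when they appear together.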

Since it's the US, I wouldn't be surprised if HS or someone else paid him a visit if he disclosed what he found at the nuclear installation. National security is at risk!!! (From what I hear, even though in this case it might be true, that seems to be their fav line)

I cannot find a source in English for this right now, but ANSSI claimed they were sent a Trojan through a 0-day PDF exploit. The file was sent by mail, pretending to be sent by a coworker the recipient just had a meeting with, with a text about the meeting. Or so it seems. They realized they were attacked weeks after it started, when a guy heard about an email he was supposed to have sent and realized he didn't do it. Nobody noticed anything wrong in the meantime! So it seems there was some kind of social engineering behind this, or else people working at the ministry are so dumb we French should worry that they could send the State finances to Nigeria...

So it looks like HBGary Federal did manage to find some work, after all.

Heh. HBGary and HBGary Federal were actually playing this one from both ends.

They have a kind of heuristic malware detection engine which attempts to categorize malware not based on signature, but on generic traits (for example, using an executable packer, installing keyboard hooks, injecting code into other processes, etc.). This software aims to detect and trap even unknown malware, which makes it of particular relevance to organizations trying to guard against targeted attacks (against which signature-based tools are essentially useless).

Secondly, they were involved in writing software to do exactly what was done to France and Canada. Moreover, Aaron Barr was investigating ways in which spear-phishing could be performed more effectively, including the use of social networks to both learn more about the target, and possibly even gain the target's trust. Honestly, I think the justification for his research was pretty legitimate--it's really too bad he stirred up the Anonymous hornets' nest.

As any fule kno, the best way to monetize a war is to sell weapons to both sides. So it is with cyberwar.

How Reaganesque of you! (Don't get me wrong, I agree. Just adding some commentary.)

I cannot find a source in English for this right now, but ANSSI claimed they were sent a Trojan through a 0-day PDF exploit. The file was sent by mail, pretending to be sent by a coworker the recipient just had a meeting with, with a text about the meeting. Or so it seems. They realized they were attacked weeks after it started, when a guy heard about an email he was supposed to have sent and realized he didn't do it. Nobody noticed anything wrong in the meantime! So it seems there was some kind of social engineering behind this, or else people working at the ministry are so dumb we French should worry that they could send the State finances to Nigeria...

Oh, interesting, is there a source you can link? I don't mind if it's not English language. I did look for further info, but I'm not really sure what the best resources are in the francophone world.

I cannot find a source in English for this right now, but ANSSI claimed they were sent a Trojan through a 0-day PDF exploit. The file was sent by mail, pretending to be sent by a coworker the recipient just had a meeting with, with a text about the meeting. Or so it seems. They realized they were attacked weeks after it started, when a guy heard about an email he was supposed to have sent and realized he didn't do it. Nobody noticed anything wrong in the meantime! So it seems there was some kind of social engineering behind this, or else people working at the ministry are so dumb we French should worry that they could send the State finances to Nigeria...

The former type is what you are looking for, the latter is not. Real social engineering combined with some background on the target is rarely discovered without some other indicator until well after the fact, if at all.

Quote:

Nobody noticed anything wrong in the meantime!

Who would honestly notice one email in the dozens/hundreds daily that fits the pattern and is context correct for your organization? If anyone raises their hand, it's only because they are full of shit and/or captain hindsight.

Who would honestly notice one email in the dozens/hundreds daily that fits the pattern and is context correct for your organization? If anyone raises their hand, it's only because they are full of shit and/or captain hindsight.

Yes, I understand well. But my own experience with the French administration (I am a civil servant) is that the level of computer training is extremely low. I work daily with somebody who cannot add two documents to an email. He understood the right click - send to recipient but he doesn't know any other way... There has been no massive training of people who began working before the computerization (which is quite recent, in some services it happened in the first half of the 2000 decade). A large part of the administration still uses XP and IE 6 with very old pro software.

When the IT guys talk to the employees about good security practices, half of the audience doesn't understand a word about it, and the other half doesn't care...

I wouldn't be surprised if a very dumb, and quite massive, behaviour opened the door for this attack, and I am quite sure that nobody there is able to detect any strange thing in their mails beside the "mail doesn't work".

The paper linked before explains that when they discovered that their mail system was compromised, they still used it daily for three months before the ANSSI came out with a patch. A guy from the ministry is quoted saying "we used it with caution and switched to paper or faxes for important documents"...

If they would use Linux, they would not be able to execute attachments, because they are saved without execution bit. (Those who have enough knowledge how to do it, also understand why it's dangerous)

Plus for another type of attack - AppArmor or SElinux setup for pdf viewers, etc. By the way Ubuntu Linux comes with already available AppArmor setup for evince pdf viewer /etc/apparmor.d/usr.bin.evince

As any fule kno, the best way to monetize a war is to sell weapons to both sides. So it is with cyberwar.

"They say that the best weapon is the one you never have to fire. I respectfully disagree. I prefer the weapon you only have to fire once. That's how Dad did it, that's how America does it, and it's worked out pretty well so far."

If they would use Linux, they would not be able to execute attachments, because they are saved without execution bit. (Those who have enough knowledge how to do it, also understand why it's dangerous)

Plus for another type of attack - AppArmor or SElinux setup for pdf viewers, etc. By the way Ubuntu Linux comes with already available AppArmor setup for evince pdf viewer /etc/apparmor.d/usr.bin.evince

Ah, that almost made me applaud Ubuntu. Except that Ubuntu's surface is so large, I keep having nightmares of technical intrusion...

If they would use Linux, they would not be able to execute attachments, because they are saved without execution bit. (Those who have enough knowledge how to do it, also understand why it's dangerous)

A PDF doesn't need +x to be opened in Reader.

Quote:

Plus for another type of attack - AppArmor or SElinux setup for pdf viewers, etc. By the way Ubuntu Linux comes with already available AppArmor setup for evince pdf viewer /etc/apparmor.d/usr.bin.evince


If they would use Linux, they would not be able to execute attachments, because they are saved without execution bit. (Those who have enough knowledge how to do it, also understand why it's dangerous)

A PDF doesn't need +x to be opened in Reader.

Quote:

Plus for another type of attack - AppArmor or SElinux setup for pdf viewers, etc. By the way Ubuntu Linux comes with already available AppArmor setup for evince pdf viewer /etc/apparmor.d/usr.bin.evince

How many people actually use it, though?

Just checked, it's loaded, I don't remember tweaking that, so it means everybody uses it as default (Ubuntu 10.04)